Mining Threat Intelligence about Open-Source Projects and Libraries from Code Repository Issues and Bug Reports

TL;DR

This paper presents a method to extract and store threat intelligence from open-source project issues and dependencies, enabling security-aware querying and alerting for software developers.

Contribution

It introduces a system that mines threat intelligence from bug reports and tracks dependencies, integrating this data into a security knowledge graph for proactive security management.

Findings

Effective extraction of threat data from public repositories

Dependency tracking enables vulnerability awareness

Knowledge graph supports security queries and alerts

Abstract

Open-Source Projects and Libraries are being used in software development while also bearing multiple security vulnerabilities. This use of third party ecosystem creates a new kind of attack surface for a product in development. An intelligent attacker can attack a product by exploiting one of the vulnerabilities present in linked projects and libraries. In this paper, we mine threat intelligence about open source projects and libraries from bugs and issues reported on public code repositories. We also track library and project dependencies for installed software on a client machine. We represent and store this threat intelligence, along with the software dependencies in a security knowledge graph. Security analysts and developers can then query and receive alerts from the knowledge graph if any threat intelligence is found about linked libraries and projects, utilized in their products.